From: Yuval Kogman <nothingmuch@woobling.org>
Date: Sat, 29 Mar 2025 00:41:34 +0100
Message-ID: <CAAQdECAPmrwF+Ratk0uxgK9-suqQq8WDS2BbQqT4SNT9wyN+QQ@mail.gmail.com>
Subject: Re: [bitcoindev] Re: UTXO probing attack using payjoin
To: "waxwing/ AdamISZ" <ekaggata@gmail.com>, "/dev /fd0" <alicexbtong@gmail.com>
Cc: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>

On Wed, 26 Mar 2025 at 20:26, /dev /fd0 <alicexbtong@gmail.com> wrote:
> Coin control and labels can be used to avoid this. Consolidation of inputs is often bad for privacy and makes silent payments, coinjoin etc. useless in some cases however the user has the choice to select coins manually while transacting. In payjoin, users can't do much about it. They have to share UTXOs in response to the original PSBT along with the address to receive bitcoin.

In the protocol specifications the receiver is not required to opt-in
to a payjoin in order to get paid, and can just broadcast the transaction
they receive from the sender. 0 conf considerations are the same in
either scenario. If the receiver opts in to payjoining, labeling or
other information can be taken into account when selecting coins. BIP
77 arguably even allows for manual coin control, since the protocol is
async, but personally I'm very skeptical that coin control is an
effective tool for preventing such leaks, not just in the context of
payjoin.

> It could be a workaround or temporary fix for this problem. However, if swapped coins are used in transactions, octojoin could be a better solution which doesn't require any inputs from the recipient.

My point was more that this problem is inherent in any on-chain
payment, i.e. even if a payjoin receiver opts out and does not reveal
a UTXO in the payjoin protocol, they are fairly likely to reveal more
or less the same information in the next transaction.

> The recipient would never doubt a sender who insists on using payjoin and not interested in a normal bitcoin transaction. They would not know the intentions of the sender before payjoin.

I don't follow. What does "never doubt" or "insist" mean? Receivers
signal payjoin support, senders can choose to act on that if they
understand it, and then receivers can choose to opt out, it's only at
this 3rd step that the receiver reveals the information, and this is
true of BIPs 79, 78 and 77.

> It was costless in the demo which could be fixed by bullbitcoin.
...
> or nothing if it's payjoin transaction

Not according to the protocol specifications. Transaction replacement
can only be costless if the attacker controls a majority of the
network hashrate.
Receivers can determine a minimum contribution below which they simply
broadcast the fallback transaction, that sets a cost for the attacker.
Receivers also generate BIP 21 payment request URIs, presumably in
some context, and payjoin proposals bind strongly to those URIs in BIP
77, so the receiver can discern and apply a context dependent policy,
allowing the costs to be reduced if there is indeed trust in the
sender, but that's not required.

> However, an attacker with a budget and some motivation can always spy on your wallet using payjoin. Things become even easier with automated payment systems such as BTCPay Server.

The problem that this particular demonstration shows is that the
bullbitcoin mobile app doesn't yet fully implement the protocol.
Secondly, it's not an automated system, but a manual peer to peer
workflow, so the receiver using the bullbitcoin mobile app would need
to actively and manually participate in facilitating the attack.
Hopefully broadcast of the fallback transaction which enforces
costlessness will be implemented, but the absence of that behavior is
more to do with the beta status of the software, not the lack of
consideration for these attacks in payjoin specifications.
In the automated merchant setting, the policy should be more
conservative, but automatic broadcasting of the fallback transaction
is strongly implied by BIPs 79, 78 and 77.

On Fri, 28 Mar 2025 at 20:45, waxwing/ AdamISZ <ekaggata@gmail.com> wrote:
> One other important thing that is discussed in BIP78, there is a difference between a "merchant" (or in any case, payment-receiving-server) case vs. a peer to peer payments case. In the latter case you cannot simply continuously ask for more and more "invoices" (payjoin urls) from the counterparty. In the former case, you certainly can, and the mitigations mentioned make sense there to prevent the "utxo collection" algorithm of continuously failing to complete or double spending, across multiple payment amounts.
...
> With that nuance even your modified-code-sender could be argued not to be an issue, though I think I prefer the BIP78 inclusion of "receiver broadcasts after an expiration" being a requirement, not a "MAY".

I agree, this should be made more explicit and the attack model
discussed more clearly, at least in BIP 77.

> And then there's the 10000ft view: if an attacker doesn't mind spending coins, they can just .. do sender-side actual payjoins, over and over, to try to collect utxos. After all the very first blockchain analysis paper by Meiklejohn et al focused on exactly this; see how much info you can get by actually paying at a merchant.

Indeed. Dust attacks (whether targeting CIOH or Coe's old
rebroadcasting behavior) also fall into the same analysis. Sybil
attacks on coinjoins or coinswap scale differently but also ultimately
reduce to some cost...
Nitpicking, because I happened to chase some references recently and
realized I made a similar mistake claiming Ron & Shamir was first:
Reid & Harrigan's "An analysis of anonymity in the bitcoin system"
was published in 2011 and already does some analysis based on CIOH.
This is cited by Ron & Shamir's "Quantitative analysis of the full
bitcoin transaction graph", preprint first uploaded in 2012-10-16,
presented in FC'13 (April), where Androulaki et al's "Evaluating user
privacy in Bitcoin" was also published (preprint dates to 2012-10-25).
Meiklejohn et al's fistful of bitcoins paper cites all three of these
works FWIW, and Ron & Shamir also cites Hamacher & Katzenbeisser's
"Bitcoin - An Analysis", presented at 28c3 but afaict there was no
paper published, the presentation also refers to Reid & Harrigan.
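
The receiver-side policy described in the message above (a minimum below which only the fallback is broadcast, fallback broadcast when the sender stalls, and a per-URI context override), modelled as an added example that is not part of the original email or of any payjoin implementation. `ReceiverPolicy`, `Request`, `handle`, `probe_summary` and the sample amounts are hypothetical names and constructed values; the threshold is assumed to apply to the amount the original transaction pays the receiver.

```python
from dataclasses import dataclass, field

@dataclass
class ReceiverPolicy:
    min_payment_sats: int                      # default threshold for revealing a UTXO
    broadcast_fallback_on_expiry: bool = True  # broadcast the original tx if the sender stalls
    context_min_sats: dict = field(default_factory=dict)  # per-URI-context overrides

    def threshold(self, context):
        return self.context_min_sats.get(context, self.min_payment_sats)

@dataclass
class Request:
    context: str            # label the receiver attached when issuing the BIP 21 URI
    amount_sats: int        # what the original (fallback) transaction pays the receiver
    fee_sats: int           # fee carried by the original transaction
    sender_completes: bool  # whether the sender signs and returns the proposal

def handle(policy, req):
    """Return (utxo_revealed, sats_sender_spent, tx_broadcast) for one request."""
    spent = req.amount_sats + req.fee_sats
    if req.amount_sats < policy.threshold(req.context):
        return False, spent, "fallback"   # opt out: get paid, reveal nothing
    if req.sender_completes:
        return True, spent, "payjoin"     # simplification: same fee as the original
    if policy.broadcast_fallback_on_expiry:
        return True, spent, "fallback"    # stalled sender still pays for the UTXO it saw
    return True, 0, None                  # UTXO revealed and nothing confirms

def probe_summary(policy, requests):
    """Total UTXOs revealed and sats spent by the sender over a run of requests."""
    results = [handle(policy, r) for r in requests]
    return sum(r[0] for r in results), sum(r[1] for r in results)

# Constructed sample: five requests from a sender that never completes the payjoin.
PROBES = [Request("web-checkout", amt, 500, False)
          for amt in (1_000, 5_000, 20_000, 50_000, 50_000)]

if __name__ == "__main__":
    policies = [
        ("no fallback broadcast", ReceiverPolicy(0, False)),
        ("fallback + 10k minimum", ReceiverPolicy(10_000)),
        ("trusted context override", ReceiverPolicy(10_000, True, {"web-checkout": 0})),
    ]
    for name, pol in policies:
        print(name, probe_summary(pol, PROBES))
```

The first policy reproduces the behaviour attributed to the beta app in the thread (UTXOs revealed, nothing spent); the other two show each revealed UTXO being paid for by a confirmed fallback.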